Industry News
Tokyo-based antivirus firm Trend Micro is warning in its blog of a large Trojan attack that has proven especially troublesome for computers in Italy. The attack involved a blizzard of seemingly legitimate Web pages loaded with malware that could plant a keylogger to steal passwords or turn machines into proxy servers for other attacks.
“Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat as a result of their natural Web surfing activity,” the vendor said in an emailed statement. “The initial HTML malware takes advantage of a vulnerability in so-called iFrames that are commonly used on Web sites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit.”
Trend Micro said that the malware toolkit's statistics page, hosted at the IP address to which affected browsers are first redirected, shows how visitors to legitimate Italian Web sites are being redirected to the host from which the download chain begins.
The spreading mechanism is a complex chain, but it relies on Web site owners being unaware that they are compromised, and Web site users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process. Trend Micro outlined the attack’s various characteristics:
1.) First-level URLs are the compromised or hacked legitimate Web sites. They are legitimate sites primarily Italian in origin and mostly advertising local services for tourism, hotels, auto-services, music, lotto and so on.
2.) These Web sites were hacked, and an IFRAME pointing to a malicious IP address (detected as HTML_IFRAME.CU) was injected into the legitimate site's HTML code, so that visitors are silently redirected to another site hosting a JavaScript downloader (JS_DLOADER.NTJ). These are the second- and third-level URLs.
3.) The third-level URL in turn downloads another Trojan into the target system from another fourth-level URL. This is the URL for TROJ_SMALL.HCK.
4.) The Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC.
5.) The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL Trojan, from another sixth-level URL.

In short, once a user visits any of the compromised Web sites, the browser is directed to another IP address that hosts the malicious JavaScript.
“Trying to cause a buffer overflow on the user’s Internet browser, JS_DLOADER.NTJ exploits browser vulnerabilities,” Trend Micro said. “Through this, it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be browser-aware in that it can choose which vulnerability to take advantage of depending on the browser.”
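The first link in the chain described above is an injected IFRAME that sends the browser to a bare IP address. A site owner who suspects a compromise can check for that pattern directly. The scanner below is an added example written for this page, not Trend Micro's code or a reconstruction of the actual injected markup; it assumes only what the article states (an IFRAME whose src is an IP address rather than a hostname), adds the common hiding tricks as extra heuristics (zero width or height, `display:none`), and runs against a constructed sample page rather than any real Italian site. The IP address 192.0.2.10 is a documentation address, not an indicator from the attack.

```python
"""Scan HTML for IFRAMEs that look like the injected redirect described above:
a frame pointing at a bare IP address, typically also hidden from the user.
Added example; heuristics only, not a signature for HTML_IFRAME.CU."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to keep an injected frame off-screen.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero_size(value):
    """True for width/height values such as '0', '0px' or '1'."""
    try:
        return float(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def _host_is_ip(src):
    """True when the frame's src uses an IP literal instead of a hostname."""
    host = urlparse(src).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_iframes(html):
    """Return a list of (src, reasons) for each IFRAME that trips a heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _host_is_ip(src):
            reasons.append("src is a bare IP address")
        if _is_zero_size(attrs.get("width", "")) or _is_zero_size(attrs.get("height", "")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate booking frame followed by an injected one.
SAMPLE_PAGE = """<html><body>
<h1>Hotel Bellavista</h1>
<iframe src="https://www.example-hotel.it/booking" width="600" height="400"></iframe>
<iframe src="http://192.0.2.10/in.cgi?3" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Run it against the saved HTML of each page on a site (not against the live site, whose server-side injection may differ from what a browser sees). A hit on the IP-literal heuristic alone is worth investigating; a frame that is also zero-sized or hidden via CSS is the pattern the article describes, since a legitimate embed has no reason to be invisible.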
Richard Bejtlich wants the world to know that he’s not going anywhere.
Bejtlich, president and CEO of TaoSecurity, is joining General Electric as director of incident response, and he’s worried about assumptions that this spells the end of his popular TaoSecurity blog and other pursuits.
Some suggest his new job will leave him too busy for his other pursuits. Here’s one take from the Rational Security blog: “It’s a bittersweet moment as while GE gains an amazing new employee, the public loses one of our best champions, a fantastic teacher, a great wealth of monitoring Tao knowledge and a prolific blogger.”
Bejtlich insists in his blog that he isn’t going away:
“Several of you leaving comments, posting your own blog entries, and sending me email seem to think my job at General Electric means I am dead. I am not dead, God willing. Let me reprint the second-to-last paragraph from that post: What about writing here, or articles, or books? My boss supports my blogging and writing. I have never made a practice of posting “Look what I found at this client!” and he does not expect me to start doing so at GE. You can expect to read more about the sorts of techniques I’m using to address security concerns but never incident specifics or any information which would compromise my relationship with GE. The same goes for articles and books. I plan to continue writing the Snort Report and eventually write the new works listed on my books page.”
He said his blog has never been a site for “tell-all” activity: he started it while working at Foundstone and continued to maintain it while at ManTech and during his run with TaoSecurity. And so, he says, “I intend to remain blogging, time- and interest-willing.”
